25.09.2014 Views

60,000 Oyster Cards Corrupted - Smart Card News


60,000 Oyster Cards Corrupted

By Dr David Everett, Smart Card & Identity News - July 08

What a month at Transport for London (TfL), which has experienced two major outages of the Oyster card system. In the first system failure, on the morning of Saturday 12th July, which lasted some 5 hours, 60,000 cards were corrupted such that TfL had to issue 42,000 new cards holding the existing balances. The second shutdown, on Friday 25th July, started at 5:30am and lasted several hours; on this occasion, according to TfL, there were no corrupted cards (although some commuters were overcharged because they were unable to check out), but the barriers had to be kept open during the morning rush hour.

TfL have been quick to blame Transys, the Oyster Travelcard provider consortium that includes EDS, Cubic Transportation Systems, Fujitsu Services Ltd and W. S. Atkins. Apparently Transys had sent ‘incorrect data tables’ to the Oyster card readers at 275 underground stations (there are 287 in total).

TfL has a 17 year contract with Transys, which was awarded in 1998 and commenced operation in November 2002. The contract is worth £100m annually to Transys, which supplies, operates and markets the RFID ticket system. Apparently the contract has a number of break clauses that allow for early termination, and although Peter Hendy, the Transport Commissioner, has been reported as enraged at the Oyster malfunctions, any such talk seems rather premature. It has been claimed that about 200,000 pay as you go Oyster card users got a free ride during the second system failure, for fares that would normally incur costs from £1-50 for a single Zone 1 journey to £4-90 for a maximum journey day cost. Given the time of day of the outage, one suspects the direct lost revenue to be no more than £500,000. Perhaps this can be covered by a few forfeited bonuses in the Transys camp.


So what on earth is going on here? Two major outages within two weeks, both due to the transmission of ‘incorrect data tables’ to all the Oyster Card Terminals: is such an accident possible, or is there something more going on behind the scenes?

We have been reporting in SCN this year on the breaches in the security of the Mifare chip, which is the platform used by the Oyster card. In January we reported on the discoveries of Karsten Nohl (University of Virginia) and Henryk Plötz, who effectively publicly revealed much of the cryptographic architecture at the core of the Mifare chip. In March we revealed the work of the digital security group at Radboud University in the Netherlands, who carried on from where Nohl and Plötz left off. There can be no doubt that both teams had cracked the Mifare Crypto-1 algorithms, and last month we reported on the Radboud team travelling the London Underground for free.

It gets worse, because NXP (née Philips Semiconductors), who own (Mifare is proprietary technology) and manufacture the Mifare chips, have now lost a ruling in the Netherlands in their attempt to block the Radboud University team from publishing their results. Mifare is now used in up to a billion smart cards in mass transit and physical access control applications. Nobody doubts that it will take years and significant costs to fix the problem, which means changing the cards, the smart card readers and some of the software middleware that handles the application on the card. Involved in all of this is the cryptographic key management; let nobody fool you, this needs to be changed as well.

If you were Transys, the first thing you would try to do is to enhance the application security around the use of the smart card. You can’t do anything about the cryptography because that is deeply buried in the chips and can’t be changed (without changing the chip). So the next best thing is to try to detect counterfeit cards, or even authentic cards where the data on the card has been manipulated. Can you imagine somebody selling a kit for Oyster card users to reset the value on their cards? This is effectively what the Radboud University team demonstrated in London.

So more about those ‘incorrect data tables’: what could that mean? Now as far as I know the cost of journeys on the London Underground has not changed for some time, and certainly not in the month of July, so it’s not obvious that there would be any changes here. But how about hot card lists? At the end of the day, software on the Transys servers could examine what the cards are up to, and notice that everything seems to be linked to pay as you go, which has a weaker registration system. If cards were being manipulated then it should be possible to detect this back at base, which should have a record of value loads and spends. Each Mifare card has a unique ID number (well, it’s supposed to be unique, although there have been reports of duplicates), which would be more difficult for the home user to change, although given the attacks reported previously anything else relating to the Oyster card application could be changed. With all this information Transys could send out hot card lists to disable these suspect cards; this is what appeared to happen on the first system failure. As an alternative you could just refuse access to the suspect cards on the hot list, and that perhaps is what happened on the latest system failure.
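The back-office check described above, as an added example (not from the original article and not TfL or Transys code): replay the recorded loads and spends per card ID and put on a hot list any card whose self-reported balance exceeds what the ledger can account for. The record layout, UIDs, amounts, function names and the two reader modes are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real Oyster data): card UID, event type,
# amount in pence, and the balance the card itself reported after the event.
EVENTS = [
    ("04A1B2C3", "load", 1000, 1000),
    ("04A1B2C3", "spend", 150, 850),
    ("04A1B2C3", "spend", 150, 700),
    ("04D4E5F6", "load", 500, 500),
    ("04D4E5F6", "spend", 150, 350),
    ("04D4E5F6", "spend", 150, 2000),  # card claims value that was never loaded
    ("04778899", "spend", 150, 850),   # spend from a card with no load on record
]


def build_hot_list(events, tolerance=0):
    """Return {uid: excess_pence} for cards claiming more value than the ledger."""
    ledger = defaultdict(int)  # UID -> balance the back office can account for
    hot = {}
    for uid, kind, amount, card_balance in events:
        if kind == "load":
            ledger[uid] += amount
        elif kind == "spend":
            ledger[uid] -= amount
        else:
            raise ValueError(f"unknown event type: {kind!r}")
        excess = card_balance - ledger[uid]
        # Record only the first discrepancy; later events from a manipulated
        # card are no longer trustworthy evidence.
        if excess > tolerance and uid not in hot:
            hot[uid] = excess
    return hot


def gate_action(uid, hot_list, mode="refuse"):
    """Reader-side decision (assumed modes): 'disable' the card or only 'refuse' entry."""
    if uid not in hot_list:
        return "open"
    if mode not in ("disable", "refuse"):
        raise ValueError(f"unknown mode: {mode!r}")
    return mode


if __name__ == "__main__":
    hot = build_hot_list(EVENTS)
    for uid, excess in hot.items():
        print(uid, "excess pence:", excess, "->", gate_action(uid, hot))
```

A nonzero `tolerance` matters in practice because a top-up that has not yet reached the back office makes a legitimate card look as if it holds unexplained value.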


A much longer conversation is what you do in such a situation. Conceptually there is nothing new here: magnetic stripe bank cards were around for years, long after it was widely reported how easy it was (complete with instructions) to create counterfeit cards. It’s all about risk management and, most important, the stakeholders: who actually loses money (and/or credibility) when the system is attacked?

Rumours abound that ITSO has produced a migration strategy from the use of Mifare cards to another approved Customer Media. At first sight that would appear to provide two options, or three if you count the new NXP Mifare Plus chip yet to be released. That would mean the NXP DESFire or the general purpose CPU card with an ISO 7816-4 file structure configured as an ITSO structure. Given the opportunity, which way wouldn’t you go? Watch this space for more news on DESFire.

According to the Transys website, the ‘Oyster’ brand was adopted as a name representing security and value, coming from the concepts of the oyster shell and pearl. I expect right now they might want to eat their words. Thinking of food, I wonder if the Octopus card in Hong Kong has similar problems?

David Everett
